Jenkins is great at telling me when there are updates available for 
Jenkins's core or when there are security vulnerabilities in plug-ins. This 
it does with a "nice-fat-red" number of vulnerabilities on the top of the 
web page when I am logged in. And when one clicks on that, you get a nice 
synopsis such as:


<https://i.stack.imgur.com/BviMV.png>



(Yes, I've already updated my Jenkins instance to patch these issues, post 
screen-shot).


However, I cannot find any system setting or plug-in which will notify me 
(presumably via email) when there is a core or plug-in update which is 
available to mitigate a vulnerability, or even when there are ANY updates 
to apply.


I have used the CLI (via SSH) to find a way to list the plug-ins with 
updates available, as in this very hackish approach which relies on the 
formatting of the list-plugins command:


$ ssh -l USER -p PORT JENKINS.domain list-plugins | egrep '\([0-9.]+\)' | sort
ant                         Ant Plugin                      1.9 (1.10)
antisamy-markup-formatter   OWASP Markup Formatter Plugin   1.5 (1.6)
branch-api                  Branch API Plugin               2.5.3 (2.5.4)
...


But I have not found any way via the CLI to:


   - distinguish between security updates and general/feature updates
   - identify core updates

I've also looked at the Jenkins log (/var/lib/jenkins/jenkins.log on 
Ubuntu) to no avail.


*Specific question*: Is there a setting (and I've looked extensively) or 
plug-in (or even CLI method) which will provide the warnings / 
vulnerabilities without being forced to log in to Jenkins' web interface and 
look manually?


Yes, I'm subscribed to the "Security advisories" mailing list 
<https://groups.google.com/forum/m/#!forum/jenkinsci-advisories>, and while 
it provides indications of core updates w.r.t. vulnerabilities, it's not as 
helpful for plug-ins - that is, not only would I have to look at all the 
plug-ins that are listed as being patched, but it doesn't, AFAICT, tell me 
when there are unpatched vulnerabilities.


*General question*: How should I go about ensuring that my Jenkins 
installation is automatically kept up-to-date, including all plug-ins? 
Ideally this would be with respect to security vulnerabilities only, 
leaving feature updates aside.
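
An added example, not part of the original post: a field-based parse of the list-plugins listing quoted above, which keys on the last two columns instead of a version regex and produces a report that cron can mail. It assumes the column layout shown in the post (short name, display name, installed version, then the available version in parentheses); the function names and the example-* rows are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the list-plugins layout quoted in the post:
#   short-name  Display Name  installed-version  (available-version)

# pending_updates: read list-plugins output on stdin and print
# "short-name installed available" for each plugin with an update pending.
# Only the last field is tested, so a display name containing "(2)" is not a
# false positive and a version such as "2.0-beta-1" is not missed.
pending_updates() {
    awk 'NF >= 3 && $NF ~ /^\(.+\)$/ {
        avail = substr($NF, 2, length($NF) - 2)   # strip the parentheses
        print $1, $(NF - 1), avail
    }' | sort
}

# update_report: print a mail-ready summary. Returns 1 and prints nothing
# when no update is pending, so a cron job stays silent in that case.
update_report() {
    updates=$(pending_updates)
    [ -n "$updates" ] || return 1
    count=$(printf '%s\n' "$updates" | wc -l | tr -d ' ')
    printf '%s plugin update(s) pending\n' "$count"
    printf '%s\n' "$updates" |
        awk '{ printf "  %-28s %s -> %s\n", $1, $2, $3 }'
}

# sample_listing: first three rows are from the post, the example-* rows
# are constructed to exercise the edge cases.
sample_listing() {
    cat <<'EOF'
ant                         Ant Plugin                      1.9 (1.10)
antisamy-markup-formatter   OWASP Markup Formatter Plugin   1.5 (1.6)
branch-api                  Branch API Plugin               2.5.3 (2.5.4)
example-beta                Example Beta Plugin             2.0-beta-1 (2.0-beta-2)
example-paren               Example (2) Plugin              3.1
example-current             Example Current Plugin          4.0
EOF
}

# Offline demonstration. Against a live instance, feed it the command from
# the post:  ssh -l USER -p PORT JENKINS.domain list-plugins | update_report
sample_listing | update_report
```

Like the one-liner in the post, this reports every pending plug-in update; it does not separate security fixes from feature updates and does not cover core updates.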
